三个月修改密码真的就能提升信息安全么？

你有多久没有改过银行卡的密码了?假如银行让你三个月必须修改一次密码，而且新密码不能重复使用最近5次使用过的密码，你会不会疯掉？


最近我实施的某个项目过程中，大量用户抱怨信息系统三个月更改账户密码的策略实在非常麻烦，甚至是“扰民”。三个月的时间很快就过去了，用户不得不重新修改密码，而且根据信息系统密码复杂度的要求，“不能重复使用最近5次使用过的密码”，所以用户不得不创建很多不常用且难于记忆的新密码，很容易就忘记密码，不得不重新申请设置，这个对于用户来说体验确实非常不好，对于正常的工作也是一种骚扰。

三个月修改密码就真的就能提升信息安全么？某种程度上，这样的密码策略确实能够把可能遭受信息损失降低一些，比如，黑客从某种途径获取或破解了用户的密码，他可以在这三个月内访问系统，但是三个月后，密码将会过期，企业/用户的信息损失也就到此为止了。但事实真的是这样的么？微软几年前一份研究报告：Frequent password changes are useless

Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says. On the bright side, changing your password isn't harmful, either, unless you use overly short or obvious passwords or you're sloppy about how you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their monitor, about the worst possible computer security behavior you can undertake.) Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher's very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes' averted losses, but few would estimate it's anywhere approaching $16 billion a year.

个人观点，对于企业内部信息系统，定期修改密码可能还是有必要的，但真的没必要是三个月这么短的时间，我们需要在安全性和用户体验间寻找一个更为合适的平衡，适当的放宽标准是非常有必要的。
推荐阅读：Study: Frequent password changes are uselesshttp://web.archive.org/web/20100423185209/http://news.yahoo.com/s/ytech_wguy/20100413/tc_ytech_wguy/ytech_wguy_tc1590Why do we annoy our users?http://www.sicpers.info/2010/03/why-do-we-annoy-our-users/Please do not change your passwordhttp://web.archive.org/web/20100414135812/http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=fullWhy Changing Your Passwords Often May Be a Waste of Timehttp://lifehacker.com/5966214/how-often-should-i-change-my-passwordsHow does changing your password every 90 days increase security?http://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security